Why SOC 2 May Not Prove Security Anymore

Why SOC 2 May Not Prove Security Anymore

From Trust vs. by HITRUST Alliance

October 9, 2025 · 41 min · Season 3 · Episode 6

About this episode

In this episode, the Trust vs. team discusses the current state of SOC 2 with cybersecurity expert AJ Yawn, exploring its effectiveness and implications for security assurance.

SOC 2 might be everywhere, but is it actually working? In this episode, the Trust vs. team welcomes cybersecurity leader, author, and GRC engineer AJ Yawn to break down the state of SOC 2 today and why its greatest strength may also be its biggest weakness. AJ brings years of hands-on experience in auditing, engineering, and startup leadership to explain how SOC 2 shifted from a signal of security to a sales checkbox and what that means for TPRM. We talk about flexibility vs. consistency, outdated frameworks, why some SOC 2s are nearly useless, and how organizations can move toward better assurance by asking better questions. Meet Ryan: https://www.linkedin.com/in/ryan-patrick-3699117a/ Meet Jeremy: https://www.linkedin.com/in/jeremyhuval Meet AJ: https://www.linkedin.com/in/ajyawn/ Read AJ’s Book: https://www.amazon.com/GRC-ENGINEERING-AWS-Hands-Engineering/dp/B0FDLZX4BP

People in this episode

Hosts: Ryan Patrick, Jeremy Huval

Guest: AJ Yawn

Topics covered

  • SOC 2
  • cybersecurity
  • GRC
  • audit
  • TPRM
  • assurance

Keywords

  • SOC 2
  • security
  • cybersecurity
  • audit
  • GRC
  • TPRM
  • assurance
  • flexibility
  • frameworks

Mentioned in this episode

Organizations: HITRUST Alliance

More episodes of Trust vs.

Explore listener stats, chart rankings, contacts and more on the Trust vs. podcast page.